Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks.
To facilitate monitoring, management and control of network environments, a variety of network devices, applications, technologies and services have been developed. For example, certain data flow rate control mechanisms have been developed to provide a means to control and optimize the efficiency of data transfer as well as allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. Bandwidth management devices also allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, certain bandwidth management devices, as well as certain routers, allow network administrators to specify aggregate bandwidth utilization controls to divide available bandwidth into partitions. With some network devices, these partitions can be configured to provide a minimum bandwidth guarantee, and/or cap bandwidth, as to a particular class of traffic.
An administrator specifies a traffic class (such as FTP data, or data flows involving a specific user or network application) and the size of the reserved virtual link—i.e., minimum guaranteed bandwidth and/or maximum bandwidth. Such partitions can be applied on a per-application basis (protecting and/or capping bandwidth for all traffic associated with an application) or a per-user basis (controlling, prioritizing, protecting and/or capping bandwidth for a particular user). In addition, certain bandwidth management devices allow administrators to define a partition hierarchy by configuring one or more partitions dividing the access link and further dividing the parent partitions into one or more child partitions.
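The partition model just described (a reserved virtual link with a minimum guarantee and/or a cap, optionally nested into parent and child partitions) is illustrated by the following added example. It is not code from the patent or from any Packeteer product; the hierarchy rules it enforces are assumptions chosen for the illustration: children may not reserve more guaranteed bandwidth than their parent can offer, a child's cap may not exceed its parent's cap, and bandwidth left after guarantees are honoured is shared progressively among children that still have demand, up to their caps. Partition names and bit rates are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Partition:
    """One virtual link carved out of the access link or out of a parent partition."""
    name: str
    guarantee: int                 # minimum guaranteed bandwidth in bits per second
    cap: Optional[int] = None      # maximum bandwidth; None means bounded only by the parent
    children: List["Partition"] = field(default_factory=list)

    def capacity(self) -> int:
        # Assumption: what a partition can hand to its children is its cap if set,
        # otherwise the bandwidth it is itself guaranteed.
        return self.cap if self.cap is not None else self.guarantee


def validate(p: Partition, errors: Optional[List[str]] = None) -> List[str]:
    """Walk the hierarchy and report configurations that cannot be honoured."""
    if errors is None:
        errors = []
    if p.cap is not None and p.cap < p.guarantee:
        errors.append(f"{p.name}: cap {p.cap} is below guarantee {p.guarantee}")
    reserved = sum(c.guarantee for c in p.children)
    if reserved > p.capacity():
        errors.append(f"{p.name}: children reserve {reserved} of only {p.capacity()}")
    for c in p.children:
        if c.cap is not None and p.cap is not None and c.cap > p.cap:
            errors.append(f"{c.name}: cap {c.cap} exceeds parent cap {p.cap}")
        validate(c, errors)
    return errors


def allocate(p: Partition, demand: Dict[str, int]) -> Dict[str, int]:
    """Divide p's capacity among its direct children for one scheduling interval.

    Guarantees are satisfied first (up to each child's demand); the remainder is then
    handed out in equal shares to children that still have unmet demand and headroom
    under their cap, repeating until nothing more can be placed.
    """
    def limit(c: Partition) -> int:
        return min(demand.get(c.name, 0), c.cap if c.cap is not None else p.capacity())

    alloc = {c.name: min(c.guarantee, demand.get(c.name, 0)) for c in p.children}
    remaining = p.capacity() - sum(alloc.values())
    while remaining > 0:
        open_children = [c for c in p.children if alloc[c.name] < limit(c)]
        if not open_children:
            break
        share = remaining // len(open_children)
        if share == 0:          # remainder too small to split further
            break
        for c in open_children:
            grant = min(share, limit(c) - alloc[c.name])
            alloc[c.name] += grant
            remaining -= grant
    return alloc


def example_hierarchy() -> Partition:
    """Constructed sample: a 10 Mbit/s access link split into three child partitions."""
    link = Partition("access-link", guarantee=10_000_000, cap=10_000_000)
    link.children = [
        Partition("ftp-data", guarantee=2_000_000, cap=4_000_000),   # capped bulk transfer
        Partition("voip", guarantee=3_000_000),                      # protected, uncapped
        Partition("web", guarantee=1_000_000, cap=6_000_000),
    ]
    return link


def overbooked_hierarchy() -> Partition:
    """Constructed sample of a misconfiguration: guarantees exceed the parent link."""
    link = Partition("access-link", guarantee=10_000_000, cap=10_000_000)
    link.children = [Partition("a", guarantee=6_000_000), Partition("b", guarantee=5_000_000)]
    return link


if __name__ == "__main__":
    link = example_hierarchy()
    print("errors:", validate(link) or "none")
    # Constructed offered load per partition for one interval, in bits per second.
    print(allocate(link, {"ftp-data": 8_000_000, "voip": 2_000_000, "web": 9_000_000}))
    print("errors:", validate(overbooked_hierarchy()))
```

With the sample demand, ftp-data is held to its 4 Mbit/s cap, voip receives only the 2 Mbit/s it asks for, and web takes the rest up to the link size; the overbooked variant fails validation because 11 Mbit/s of guarantees cannot be honoured on a 10 Mbit/s link.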
Furthermore, network security is another concern, such as the detection of computer viruses, as well as prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions; other network devices likewise combine security functions with data gathering or monitoring functions.
Many of the systems and technologies discussed above incorporate or utilize traffic classification mechanisms to perform their respective functions. Identification of traffic types associated with data flows traversing a network generally involves the application of matching criteria or rules to explicitly presented or readily discoverable attributes of individual packets, or groups of packets, against an application signature which may comprise a protocol identifier (e.g., TCP, HTTP, UDP, MIME types, etc.), a port number, and even an application-specific string of text in the payload of a packet. Indeed, the rich Layer 7 classification functionality of Packetshaper® bandwidth management devices offered by Packeteer®, Inc. of Cupertino, Calif. is an attractive feature for network administrators, as it allows for accurate identification of a variety of application types.
The throughput of network devices that utilize traffic classification can become a concern, as traffic classification, especially granular classification mechanisms, can include a variety of CPU-intensive operations. If a network device, such as an application traffic management device, becomes a bottleneck, it can defeat the very purpose for which the network device was deployed—namely, increased efficiency and performance. Network device vendors, therefore, must configure their network devices with sufficient computational resources to avoid creating a performance bottleneck. Classification of data flows, however, especially in modern network environments, is often one of the most CPU-intensive tasks performed by the network devices. In addition, recent trends seen in many network applications suggest that the resource-intensive nature of network traffic classification will only increase. Indeed, an increasing number of network applications employ data compression, encryption technology, and/or proprietary protocols that obscure or prevent identification of various application-specific attributes, often leaving well-known port numbers as the only basis for classification. In fact, as networked applications become increasingly complex, data encryption and/or compression has become a touted security or optimization feature. Data encryption addresses security and privacy concerns, but it also makes it much more difficult for intermediate network devices to identify the applications that employ it. In addition, traffic classification based solely on well-known port numbers can be problematic, especially where a network application uses dynamic port number assignments or incorrectly uses a well-known port number, leading to misclassification of the data flows.
In addition, classifying such encrypted network traffic as unknown (or encrypted) and applying a particular rate or admission policy to unknown traffic classes undermines the granular control otherwise provided by bandwidth management devices and, further, may cause legitimate, encrypted traffic to suffer as a result.
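The following added example makes the two preceding paragraphs concrete: a minimal signature matcher of the kind described above (transport protocol, well-known port, application-specific payload string), run over constructed sample flows. It is not code from the patent or from any Packeteer product, and the signature table and flow contents are assumptions built for the illustration. Payload matches are ranked above port matches; the cases show how an application on a dynamic port is still recognized from its payload, how an encrypted flow degrades to a port-only decision, and how an application misusing a well-known port is misclassified, which is exactly the weakness that a policy for "unknown or encrypted" traffic then has to absorb.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    """Matching criteria for one application type (constructed for this example)."""
    name: str
    protocol: str                      # transport protocol identifier, e.g. "tcp" or "udp"
    port: Optional[int] = None         # well-known port, if the application has one
    payload: Optional[bytes] = None    # application-specific string expected in the payload


@dataclass(frozen=True)
class Flow:
    """Attributes explicitly presented by a flow's first packets."""
    protocol: str
    dst_port: int
    payload: bytes                     # leading application payload bytes, either direction


# Assumed signature table; "https" and "dns" carry no cleartext string to match on.
SIGNATURES: List[Signature] = [
    Signature("http", "tcp", 80, b"HTTP/1."),
    Signature("ftp", "tcp", 21, b"220 "),      # FTP server greeting banner
    Signature("https", "tcp", 443),
    Signature("dns", "udp", 53),
]


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (traffic class, basis) for a flow.

    A payload signature is evidence of the application itself, so it outranks a port
    number, which is only a convention that applications may ignore or misuse.
    """
    for sig in SIGNATURES:
        if sig.protocol == flow.protocol and sig.payload and sig.payload in flow.payload:
            return sig.name, "payload"
    for sig in SIGNATURES:
        if sig.protocol == flow.protocol and sig.port == flow.dst_port:
            return sig.name, "port-only"
    return "unknown", "none"


def sample_flows() -> List[Tuple[str, Flow]]:
    """Constructed flows covering the cases discussed in the text."""
    http_request = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    tls_hello = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"   # opaque TLS record header
    return [
        ("http on its well-known port", Flow("tcp", 80, http_request)),
        ("http on a dynamic port", Flow("tcp", 8080, http_request)),
        ("encrypted flow on 443", Flow("tcp", 443, tls_hello)),
        ("non-http app misusing port 80", Flow("tcp", 80, b"\x00\x12opaque-tunnel")),
        ("unrecognized protocol and port", Flow("tcp", 5555, b"\x00\x01")),
    ]


if __name__ == "__main__":
    for label, flow in sample_flows():
        cls, basis = classify(flow)
        print(f"{label:32} -> {cls:8} ({basis})")
```

The "port-only" basis is the signal a policy engine would use to treat a decision as weak: the encrypted flow on 443 and the tunnel on port 80 both land there, and only the second one is actually wrong.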
Traffic classification mechanisms have to adapt to address these circumstances. For example, U.S. application Ser. No. 10/938,435 discloses network traffic classification mechanisms that classify network traffic based on the behavioral attributes of the data flows. U.S. application Ser. No. 10/720,329 discloses the classification of data flows based on heuristic behavior pattern matching. These classification mechanisms differ from traditional classification mechanisms which classify traffic based on explicitly presented attributes of individual data packets; however, they are quite resource intensive, requiring maintenance and analysis of a significant amount of stateful information for each data flow.
Enterprise network topologies can span a vast array of designs and connection schemes depending on the enterprise's resource requirements, the number of locations or offices to connect, desired service levels, costs and the like. A given enterprise often must support multiple LAN or WAN segments that serve headquarters, branch offices and other operational and office facilities. Indeed, enterprise network design topologies often include multiple, interconnected LAN and WAN segments in the enterprise's intranet, and multiple paths to extranets and the Internet. These network topologies often require the deployment of a variety of network devices at each remote facility. In addition, some network systems are end-to-end solutions, such as application traffic optimizers using protocol intervention technologies, requiring network devices at each end of a communications path between, for example, a main office and a remote facility.
In a typical network environment where the classification information is not exchanged, each network device separately analyzes the data flows in order to classify them. Oftentimes, the methods used for classifying network traffic on these network devices will result in the same or similar classification of the data flows traversing the network devices. While the prior art is suitable for its intended objective, the separate classification of data flows traversing a plurality of identical or similar network devices results in certain inefficiencies. In other words, a downstream network device, such as a bandwidth management device, located along a communications path traversed by a given data flow fails to take advantage of the classification information derived by an upstream network device in the communications path. Additionally, in fault tolerant networks, redundant networking devices are used in active-and-standby configurations. U.S. application Ser. Nos. 10/611,573 and 10/858,340 disclose the configuration and deployment of application traffic management devices in redundant network topologies. In these deployments, the active and standby network devices transmit synchronization packets to maintain the same state, while one or both network devices forward network traffic. In these configurations, both network devices classify the same traffic independently in order to maintain the same flow state and statistics information. The resources spent classifying the traffic reduce performance, which can become a concern as traffic loads increase.
In light of the foregoing, a need in the art exists for increasing the efficiency and performance of network traffic classification. A need also exists in the art for reducing the resource requirements associated with network traffic classification. Embodiments of the present invention substantially fulfill these needs.